Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-09 09:27:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
fa5b44c3904173c7bf33cd22d7b8ba76238c4e40
keyboardcrunch-sentinelone-…/queries/windows/screensaver_change.yml
T

17 lines
560 B
YAML
Raw Blame History

title: Screensaver Change
description: Detects malicious changes to screensaver through Registry changes, filtering
expected processes.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
tactic: Persistence, Privilege Escalation
technique: T1546
subtechnique: 002
operating_system: windows
query: RegistryKeyPath ContainsCIS "Control Panel\Desktop\SCRNSAVE.EXE" AND (EventType
In ("Registry Value Create","Registry Value Modified") AND SrcProcName Not In ("svchost.exe","SetupHost.exe","CcmExec.exe"))
false_positives: null
tags: null
Reference in New Issue View Git Blame Copy Permalink